What's the Goal?

Without goals, and plans to reach them, you are like a ship that has set sail with no destination.

Fitzhugh Dodson


As is customary for a pleasant autumn day, I was out raking leaves this past Sunday when my neighbor's teenage son came running out to talk to me.

He had noticed that I was using a standard rake (gasp!) and excitedly came over to offer their leaf blower for a few hours so I could finish clearing the yard faster.

My neighbor (naturally) assumed that my goal was to clear my yard of leaves, and so, noticing an inefficient process, offered a solution towards achieving this goal.

But, I politely declined the offer - because that wasn't really my goal. In fact, a truly efficient process like a leaf blower would have been at odds with my actual goals, namely:

  • Spending some time outside on a nice day
  • Getting my 5 year old son outside on a nice day and away from the screens and tablets
  • Spending quality time with my son (he ended up buried in multiple leaf piles)
  • Showing my son the value of several hours of manual work (he kept at it for about 15 minutes before finding the baseball gear)
  • Getting my son to participate in some of that manual work


My neighbor had the right solution - but he was solving the wrong problem.

The same phenomenon occurs all the time in cybersecurity.

Sometimes we buy a new tool, build a new process, or configure new alerts, only to realize that our solution doesn't solve the problem - or, at least, it doesn't solve the problem we expect it to.

That is why a good cybersecurity program starts with identifying the right problems to solve - the right goals to achieve.

Are we trying to eliminate all vulnerabilities? Or just the exploitable vulnerabilities?

Are we trying to achieve a 0% click rate for social awareness tests? Or just reduce the number of clicks and increase the rate and speed of reports?

Are we trying to log and monitor every single event, no matter how mundane? Or are we trying to log the important events and build a reasonable timeline of potential attacks?

Are we trying to stop all hackers, no matter how much time and money they have? Or just stop the most common attackers who are much more likely to target our particular business?

Depending on the goals and the problems we are trying to solve, the solutions will change. So, if we think we are trying to solve one problem (such as a clean lawn) but we are really trying to solve a different problem (father-son outdoor activity), then we may choose the wrong solution, and be frustrated by the outcome.

Start with the Why.

And build from there.


Security News

  • Cybersecurity researchers have flagged a massive campaign, codenamed EMERALDWHALE, that targets exposed Git configurations and is estimated to have collected 10,000 private repositories with 15,000 stolen credentials.
  • A little over three dozen security vulnerabilities have been disclosed in various open-source artificial intelligence (AI) and machine learning (ML) models, some of which could lead to remote code execution and information theft.
  • Cybersecurity researchers have disclosed a new phishing kit, known as Xiū gǒu, that has been put to use in campaigns targeting Australia, Japan, Spain, the U.K., and the U.S. since at least September 2024.
  • A government entity and a religious organization in Taiwan were the target of a China-linked threat actor known as Evasive Panda that infected them with a previously undocumented post-compromise toolset codenamed CloudScout that is capable of retrieving data from various cloud services by leveraging stolen web session cookies.
  • If you're running an application built using the Spring development framework, now is a good time to check it's fully updated – a new, critical-severity vulnerability has just been disclosed.
  • The Russian nation-state threat actor tracked as Midnight Blizzard has been running spear-phishing campaigns to thousands of targets at more than 100 organizations, primarily in the United States and Europe.
  • Interbank, one of Peru's leading financial institutions, has confirmed a data breach after a threat actor who hacked into its systems leaked stolen data online.
  • A recently disclosed Microsoft SharePoint remote code execution (RCE) vulnerability tracked as CVE-2024-38094 is being exploited to gain initial access to corporate networks.
  • LastPass is warning about an ongoing campaign where scammers are writing reviews for its Chrome extension to promote a fake customer support phone number. However, this phone number is part of a much larger campaign to trick callers into giving scammers remote access to their computers.
  • A report by Canada's Communications Security Establishment (CSE) revealed that state-backed actors have collected valuable information from government networks for five years.


Until next time!

The Craft Compliance Team


